New version of L0phtCrack makes cracking Windows passwords easier than ever

Nearly 20 years after the first version, and in its first update in six years, L0phtCrack has been upgraded to version 7 and claims a speed bump of up to 500 times over the previous version.

According to L0pht Holdings, the firm behind the tool, it has been revamped with a new cracking engine that takes advantage of multi-core CPUs and multi-core GPUs. A 4-core CPU running a brute force audit with L0phtCrack 7 is now five times faster than L0phtCrack 6. It added that for users with a GPU such as the AMD Radeon Pro Duo, the increase is 500 times.

The release of the original L0phtCrack was 19 years ago and its password cracking capability forced Microsoft to make improvements to the way Windows stored password hashes. Microsoft eventually deprecated the weak LANMAN password hash and switched to only the stronger NTLM password hash it still uses today.

The developers claim that Windows passwords are easier to crack today than they were 18 years ago.

“On a circa-1998 computer with a Pentium II 400 MHz CPU, the original L0phtCrack could crack a Windows NT, 8 character long alphanumeric password in 24 hours. On a 2016 gaming machine, at less hardware cost, L0phtCrack 7 can crack the same passwords stored on the latest Windows 10 in 2 hours,” said the firm in a statement.

It said that a recent study by Praetorian of 100 penetration tests for 75 organizations found that the most prevalent insecure finding in the kill chain, at 66 percent of the time, is weak domain user passwords. It added that the tool can be used to audit Windows domains to find weak passwords and then remediate the vulnerability with forced password resets or by disabling unused accounts completely.

Other improvements include a password auditing wizard, scheduling, and reporting. An updated password hash importer works seamlessly locally and remotely with all versions of Windows, up to and including Windows 10 “Anniversary Edition”.

Ken Munro, partner at Pen Test Partners, told SCMagazineUK.com that this is an excellent tool for the corporate environment. “It isn't doing anything new, and it probably isn't doing it any faster than hashcat already does, but it is very easy to run against Active Directory,” he said.

“CESG are saying that regular password changing may harm rather than improve security, so it's better to have a good, complex one that you keep for longer. Therefore, companies should be internally auditing password strength in addition to setting a good password policy.”

Stian Andre Markussen, senior software engineer at Promon, told SC that even if this new L0phtCrack version is 500 times faster, a brute-force approach would still take a very long time to crack a password. “What I see is that this new version uses more CPU/GPU.”

“Using brute force is probably the worst way to crack a password, so if this product hasn't improved the ‘guessing’ work around cracking the password, then using more CPU will only help in relative terms,” he said.

Markussen said that password cracking can be done faster, “but the application still requires admin access to the system in order to obtain the password hashes. If it has that, it is free to do anything anyway.”